On 27 August 2025, the National Institute of Standards and Technology (NIST) issued a patch release of its Security and Privacy Controls for Information Systems and Organizations (SP 800-53, release 5.2.0). The controls form a catalogue of safeguards that organisations can use to manage their cybersecurity risk. The latest modifications respond to Executive Orders 14306, 13694, and 14144. The updated controls emphasise the importance of monitoring both the particular component being updated and that component's relationship to the overall system.

Among the changes are three entirely new controls. First, logging syntax (SA-15) defines an electronic format for recording security-related events to support better incident response; a defined data format facilitates automation and helps teams reconstruct security incidents more quickly. Second, root cause analysis (SI-02(07)) calls for a review to identify the cause of an issue or failure with a software update, followed by an action plan and its implementation. Third, design for cyber resiliency (SA-24) recommends designing systems for survivability: the ability to anticipate, withstand, respond to and recover from attack while maintaining critical functions.

The update also revises the technical content of some existing controls and provides additional examples of how to implement them. In addition, NIST now provides updates to the control catalogue through its online tool, which allows downloads in machine-readable formats. The agency has also adopted a new public engagement process that allows stakeholders to respond to proposed changes in real time during comment periods and to make suggestions at any time.